Privacy International’s new complaint against GCHQ is like pissing in the wind

GCHQ

Fresh from its success against HMRC, Privacy International (PI) is now taking on GCHQ. It announced Tuesday that it has “filed a legal complaint demanding an end to the unlawful hacking being carried out by GCHQ which, in partnership with the NSA, is infecting potentially millions of computer and mobile devices around the world with malicious software that gives them the ability to sweep up reams of content, switch on users’ microphones or cameras, listen to their phone calls and track their locations.”

This complaint, however, will be like pissing in the wind.

Since it is a complaint against the intelligence services it has to be raised with the UK’s Investigatory Powers Tribunal. Now, if you think my comment is a bit OTT, I invite you to consider the assessment of the Home Affairs Committee – Seventeenth Report: Counter-terrorism, published just last month. In particular, look at Section 6: Oversight of the security and intelligence agencies. It says,

…we wish to take this opportunity to note that in its latest annual report, the Investigatory Powers Tribunal has failed to disclose how many cases were decided in favour of the complainant. The 2010 (inaugural) annual report of the Investigatory Powers Tribunal was a forty page document. The 2011 report was a three page statistical release. The 2012 annual report was a two paragraph new story on its website… The statistics which have been produced by the Investigatory Powers Tribunal indicate that out of 1468 [complaints] the Tribunal has received it has decided in the favour of ten complainants. None of the ten successful complaints were made against the security service.

So only 0.68% of complaints to the Investigatory Powers Tribunal are upheld – and none of those relate to complaints against the intelligence services despite 30% of the 2010 complaints being leveled against an intelligence agency.

Sir Anthony May

There are two other officers also responsible for oversight of GCHQ: the Interception of Communications Commissioner (Sir Anthony May), and the Intelligence Services Commissioner (Sir Mark Waller). Also last month, on the same day that the ECJ ruled the European Data Retention Directive to be invalid, the Interception Commissioner’s annual report was laid before parliament. He considered at some lengths GCHQ, RIPA and the Snowden files.

It is ultimately a matter of policy whether the interception agencies, duly authorised under RIPA 2000 Part I Chapter I and subject to its safeguards, should continue to be enabled to intercept external communications, so far as they are lawfully and technically able, in order to assist their functions of protecting the nation and its citizens from terrorist attack, cyber attack, serious crime and so forth. If the policy answer to that question is yes (which I personally should have thought was obvious)…
2013 Annual Report of the Interception of Communications Commissioner

He is, then, personally predisposed towards GCHQ’s international hacking habits.

His report also asks, “Do the interception agencies misuse their powers under RIPA 2000 Part I
Chapter I to engage in random mass intrusion into the private affairs of law abiding UK citizens who have no actual or reasonably suspected involvement in terrorism or serious crime?”

And it answers, “The interception agencies do not engage in indiscriminate random mass intrusion by misusing their powers under RIPA 2000 Part I.” Now, since the Tribunal will undoubtedly query the commissioner on whether Privacy International’s complaint is valid, we can begin to see that it’s not going to get very far.

Sir Mark Waller
source: The Guardian

But let it not be said that the overlookers providing oversight on GCHQ are not sufficiently thorough in their overlooking. This is part of the Intelligence Services Commissioner’s testimony, verbatim, to the Home Affairs committee:

Chair: You went down to GCHQ.

Sir Mark Waller: Yes.

Chair: You went to see who there?

Sir Mark Waller: I saw the second head of the agency, in fact.

Chair: How did you satisfy yourself? It seems, from your comment, that what you did was you had a discussion with them, you heard what they had to say and you have accepted what they had to say.

Sir Mark Waller: Certainly.

Chair: Is that it?

Sir Mark Waller: Certainly.

Chair: Just a discussion?

Sir Mark Waller: Certainly.

Chair: Nothing else?

Sir Mark Waller: Certainly.

It’s not as if Privacy International is demanding very much. It is just seeking from the Investigatory Powers Tribunal:

A declaration that the matters set out in the complaint are well founded and GCHQ’s conduct has been unlawful, an injunction restraining any similar future conduct, an order requiring the destruction of any information unlawfully obtained and a public judgment.

But to say that Privacy International’s claim against GCHQ in face of these guardians of the public good is just pissing in the wind is probably an understatement – pissing into a force 8 gale is more accurate. It’s never going to happen.

But there is just one glimmer. Once PI has exhausted all national options it should be able to take the matter to the European Court – the same court that recently struck down the Data Retention Directive and has just ruled against Google.

Diplomat to be new head of GCHQ

Robert Hannigan — new head of GCHQ

The new head of GCHQ is neither a spy by trade nor a hard-hitting political bully — he is a diplomat. Robert Hannigan, selected to replace Sir Iain Lobban, as head of Britain’s spy agency GCHQ comes out of the Foreign Office and is a former adviser to Tony Blair in Northern Ireland.

Ex-colleagues say choice of Foreign Office diplomat as GCHQ chief suggests government is leaving door open to reform
Robert Hannigan: GCHQ director who can balance secrecy and accountability — Guardian

The implication is clear: maybe, just maybe, Cameron has realised the severity of not just public concern and distrust over GCHQ, but the dismay of our European political allies. It will take some serious diplomacy to soothe some very ruffled feathers. It already seems likely the Britain will be excluded from the EU’s Schengen-routing and Schengen-cloud (see here for details); and that would put the country at a severe trade disadvantage in our most important export market.

The Guardian goes on to give an example of Hannigan’s diplomacy:

Hannigan rose from being the head of communications in the Northern Ireland Office to running its political affairs department. At one particularly critical moment in the peace talks in 2007, Hannigan helped overcome an impasse between Sinn Féin’s Gerry Adams and the DUP’s Ian Paisley. The latter wanted an adversarial arrangement with the parties glaring at each other across a table; Adams wanted them sitting side by side, as partners. Hannigan suggested a diamond-shaped table as a compromise.

The best of all possible worlds will be that Hannigan’s brief is to open up GCHQ to some form of public transparency. The greater likelihood, however, is that his brief is to pull the diplomatic wool over everyone’s eyes to allow GCHQ to continue as is.

 

Cameron welcomes the Interception Commissioner’s Report, but ignores the European Court ruling

On Tuesday the European Court of Justice ruled that the EU Data Retention Directive breaches the European Convention on Human Rights (details here, European Court dumps the Data Retention Directive and here, The ECJ has declared the Data Retention Directive to be invalid – but what actual effect will it have?). This is particularly important to current intelligence agency debates, since it involves the retention of communications metadata. While the spy agencies and governments insist that this is not personal information since it does not include content, the court started from the basis that it is personal information and concluded that its retention interferes with people’s “fundamental rights to respect for private life and to the protection of personal data.”

David Cameron: prime minister of the UK

With amazing synchronicity, also on Tuesday, David Cameron presented (‘laid before’) parliament the UK Interception Commissioner’s annual report. “The report makes clear,” said Cameron, “the Commissioner’s view that RIPA is fit for purpose, despite advances in technology. He also finds that interception agencies undertake their roles conscientiously and effectively, and that public authorities do not engage in indiscriminate random mass intrusion.”

This is an excellent example of politicking. The commissioner finds that RIPA is capable of doing what it was designed to do; he does not question whether it is right to be able to do that (which would be beyond his remit). Cameron says that “interception agencies undertake their roles conscientiously and effectively, and that public authorities do not engage in indiscriminate random mass intrusion,” as if they are the same thing.

But they are not – ‘public authorities’ are defined in the Freedom of Information Act as bodies such as government departments, the armed forces, local government, the NHS, and the police. The ‘interception agencies’ are basically GCHQ and its allied intelligence agencies. Nobody really believes that the police, the NHS and the army is involved in ‘random mass intrusion’; but Cameron is conflating the ideas to suggest that the interception agencies are also not involved in ‘random mass intrusion’ when clearly they are.

Tom Watson: Labour MP

What Cameron did not do is make any mention of the European Court ruling which throws into doubt the legality of parts of RIPA and pretty much any random mass intrusion. It was left to Labour MP Tom Watson to point this out in a subsequent letter to Cameron:

The speed with which you responded to publication of Sir Antony May the Interception Commissioner’s report yesterday was impressive.

I did not notice a response to the European Court of Justice’s important – and relevant – decision [1] on the ‘wide-ranging and particularly serious’ interference of the Data Retention Directive with two fundamental rights of our citizens, the right to privacy and protection of personal data. Perhaps I missed it.

Watson goes on to say that the Interception Commissioner

in fact expresses significant concern about the potential for institutional overuse of powers to request information on communications data, inadequate records kept, and lengthy periods for over [sic] which public bodies store such data. Again, contrary to your statement, the Commissioner draws attention to the variable practices of law enforcement and intelligence agencies and the absence of regulation of the storage and use of communications data, in contrast to regulation on contents data. Here the Commissioner concludes that he is not satisfied that data retention periods are justified and he is not able to comment on the use to which such data is put.

We know that GCHQ is involved in random mass intrusion through the top secret NSA documents provided by Edward Snowden. Much of this interception would appear to be done by tapping the underwater fibre connections between the UK and the USA outside of UK national waters and therefore outside of RIPA’s jurisdiction. Someone in London sending a confidential email to someone in Newcastle might easily find the message routed via the United States. While outside of the UK, if we are to believe the Snowden files, that message would likely be intercepted by either or both GCHQ and the NSA. So for the UK government to claim that GCHQ operates strictly within UK laws is consequently disingenuous. Even if GCHQ obeys the law, this does not mean it does not engage in indiscriminate random mass intrusion.

Meanwhile, while the UK ignores the European Court’s ruling (and will delay doing anything it is told to do for as long as possible), a Swedish ISP has acted unilaterally and taken the ruling at face value. Without waiting for the Swedish Data Retention enactment to be repealed, Bahnhof CEO Jon Karlung decided to delete all retained user data, and stop collecting any more it immediately. On Wednesday, the company announced (Google translation): “Yesterday Bahnhof chose to discontinue storage of customer traffic and also delete existing data. Jon Karlung, president, called it a ‘day of joy’.”

Swedish Justice Minister Beatrice Ask was not best pleased, and told Radio Sweden, “Swedish law still applies. It is not the case that you can start applying other conditions straight away.”

But Bahnhof’s position is clear. “If we end up in court so we simply appeal to the EU Court of Justice. Their judgment from yesterday is extremely well written.”

You can just imagine (because that’s all it will ever be), BT and other UK ISPs turning round to Cameron and saying, “Listen Dave, what you’re telling us to do is illegal, so we’re simply not going to do it anymore.”

 

The Heartbleed bug and SSL implementations

Like the tree falling in the forest, we simply do not know if the Heartbleed bug was ever exploited. The problem is that exploiting it makes no sound.

The Heartbleed bug is a fault in the implementation of the Heartbeat extension to OpenSSL. The effect is to expose up to 64kb of supposedly encrypted traffic in plaintext. That plaintext would likely include the encryption keys, user credentials (ID and password) and message content. But exploiting the bug leaves no trace in the logs, so in theory it could have been used by hackers at any time or ever since the flaw was introduced several years ago.

This potential problem is huge. “Just one application that uses OpenSSL, Apache, is used to run 346 million public websites or about 47 percent of the Internet today” explains Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi. “And the problem is even larger since this doesn’t include the tens of millions of behind-the-firewall applications, devices and appliances that run Apache and use OpenSSL.”

An update to OpenSSL has been released, and hopefully the faulty implementations are being fixed. The encryption keys are being changed and all should be well soon. But will it?

Once the SSL keys are known, then all previous messages could be decrypted. So if any attacker has been sniffing and storing messages, and has at any time obtained those keys, then those stored messages could be decrypted (unless forward secrecy – which provides new keys for each message – was being used). Forward secrecy is only now becoming more popular for precisely such a concern.

The elephant, of course, is the NSA and GCHQ (and to a lesser extent probably every other national intelligence agency in the world). On the plus side, there is no indication in the Snowden files released so far to suggest that the NSA knew about or used this bug. The downside is that unless they wrote about it, we would probably never know.

Meanwhile, researchers have been trying to discover which services use vulnerable versions of OpenSSL and have put their users at risk. Filippo Valsorda produced a test site to check whether particular sites are vulnerable. “Very quickly, it became clear that popular sites like Google, Facebook, Twitter, Dropbox, were not affected, but other sites (for instance, dating site OKCupid, Imgur, Flickr, Stackoverflow and Eventbrite) were at risk,” commented Graham Cluley this morning.

More worrying, however, is that Yahoo was affected (although it has been fixed now). The problem with Yahoo is that we know that GCHQ had been intercepting and storing Yahoo traffic.

Qualys has also added Heartbleed detection to its SSL test site. The advantage of this site is that it provides a detailed analysis of a website’s overall SSL implementation. The two graphics show summary the results from Yahoo (after fixing Heartbleed: A) and a site operated by a major security company (which should really do better: F).

Although Yahoo has now fixed the Heartbleed bug, Yahoo users should all consider changing their passwords – just in case.

Censorship is alive and well in Britain today

Last week I proposed an experiment. Index on Censorship had discussed what it calls ‘censorship by omission’; suggesting that a form of censorship exists in Britain through simple lack of information. This is censorship by omission rather than censorship by suppression.

At the same time, Der Spiegel published details from the Snowden files indicating that GCHQ had been involved in hacking German satellite communications companies. Glenn Greenwald described it in The Intercept:

One undated document shows how British GCHQ operatives hacked into the computer servers of the German satellite communications providers Stellar and Cetel, and also targeted IABG, a security contractor and communications equipment provider with close ties to the German government. The document outlines how GCHQ identified these companies’ employees and customers, making lists of emails that identified network engineers and chief executives. It also suggests that IABG’s networks may have been “looked at” by the NSA’s Network Analysis Center.

My ‘experiment’ was simple. We know that the UK government has been trying to suppress reporting on GCHQ revelations through its involvement in the physical destruction of hard disks at The Guardian. So, I suggested, “Over the next few days it will be worth seeing just how much coverage this very major, very important story actually generates in the British mainstream press.”

The result? None.

It’s not a scientific experiment because I haven’t read all of the British mainstream national press from cover to cover since that time. Instead, this morning I used Google and searched on keywords from the Greenwald paragraph:

GCHQ Stellar Cetel IABG germany satellite communications

Searching the web got 3390 returns. In the top four pages (that’s all I checked) there is no single national British newspaper included. (My ‘experiment’ came in at #10, last on the first page.)

Searching the news had just five hits: Register, Help Net Security, IT News, TIME and Engadget.

Nothing whatsoever from any of the British national press.

The conclusion has to be that Britain suffers under a regime of censorship by omission. What we don’t know is how much of this ‘omission’ is effected by government pressure, nor whether Google has been persuaded to reduce the search rankings of any published articles — making it actually censorship by suppression.

Don’t let the government or the tech giants fool you into thinking anything is changing

When Bruce Schneier left the employ of BT, he finally got off the pot. His natural inclinations can now be seen. He still hasn’t criticised BT despite it being obvious that BT is no more innocent than any of the big American telecoms companies — but he told me (by email) at the time that he tried to avoid getting involved in foreign politics.

Bruce Schneier — the ex-BT, anti-surveillance privacy guru

He hasn’t been 100% consistent in this. When Swedish journalists discovered Swedish involvement in the MITM NSA/GCHQ hacking program known as Quantum, he said, “Both Quantum and FoxAcid are NSA/GCHQ programs to attack computer users. The fact that Sweden is involved in these programs means that Sweden is involved in active attacks against internet users. It is not just passive monitoring. This is an active attack.”

One day we may yet hear what he knows about BT’s cooperation with GCHQ (Tempora et al).

In the meantime, he is now no longer backward in commenting on surveillance in general and the NSA in particular. An article in The Atlantic last week warns us not to listen uncritically to the protestations of either the NSA or the tech giants that now appear to be up in arms against this NSA hacking and surveillance.

The tech giants (Google, Facebook, Yahoo, Microsoft etcetera) all claim to be doing what they can to prevent further snooping. But they are not doing the one thing that would work — they are not encrypting user data on servers in a way that would be impossible for governments to demand the keys. And the reason they are not doing this is simply because the vendors and the governments both want the same thing — to be able to read our data.

The best we have are caveat-laden pseudo-assurances. At SXSW earlier this month, CEO Eric Schmidt tried to reassure the audience by saying that he was “pretty sure that information within Google is now safe from any government’s prying eyes.” A more accurate statement might be, “Your data is safe from governments, except for the ways we don’t know about and the ways we cannot tell you about. And, of course, we still have complete access to it all, and can sell it at will to whomever we want.”
Don’t Listen to Google and Facebook: The Public-Private Surveillance Partnership Is Still Going Strong

The reality is that for so long as the vendors want access to our data, the governments will be able to demand it. Neither of that is changing; although both sides are trying to pretend it is.

Britain: a land of censorship by omission

Let’s all try a little experiment.

Index on Censorship warned today about what it calls ‘censorship by omission’ in the UK. The suggestion is not that the British are told what to think by the UK press, but that they are controlled over what they are allowed to think about. It suggests that serious news can be omitted from print while newspapers guide their readers to less important, or even old, news.

The British news spectrum was recently obsessed with Labour politicians Harriet Harman and Patricia Hewitt, who worked for the National Council for Civil Liberties (now ‘Liberty’) in the 1970s. That council granted affiliate status to the now-banned Paedophile Information Exchange (PIE). The Daily Mail made a huge splash about its PIE investigation in February, despite uncovering no new information. That paper alone had reported the same story in 1983, 2009, 2012 and 2013. Eventually the BBC, online world and print media all covered the controversy, meaning more worthy issues lost precedence.
British news blind spots: Omission and obscurity

The result, warns Index on Censorship, is a form of censorship by omission:

We’re denied investigation or campaigning on vital issues because nobody knows they exist.

So here’s our experiment. Let’s see over the next few days just how much coverage we get on the Snowden files released today by Der Spiegel. Quoted by Glenn Greenwald’s new publication, The Intercept, this includes:

One undated document shows how British GCHQ operatives hacked into the computer servers of the German satellite communications providers Stellar and Cetel, and also targeted IABG, a security contractor and communications equipment provider with close ties to the German government. The document outlines how GCHQ identified these companies’ employees and customers, making lists of emails that identified network engineers and chief executives. It also suggests that IABG’s networks may have been “looked at” by the NSA’s Network Analysis Center.

The ultimate aim of GCHQ was to obtain information that could help the spies infiltrate “teleport” satellites sold by these companies that send and receive data over the Internet. The document notes that GCHQ hoped to identify “access chokepoints” as part of a wider effort alongside partner spy agencies to “look at developing possible access opportunities” for surveillance.

In other words, infiltrating these companies was viewed as a means to an end for the British agents. Their ultimate targets were likely the customers. Cetel’s customers, for instance, include governments that use its communications systems to connect to the Internet in Africa and the Middle East. Stellar provides its communications systems to a diverse range of customers that could potentially be of interest to the spies – including multinational corporations, international organizations, refugee camps, and oil drilling platforms.
Der Spiegel: NSA Put Merkel on List of 122 Targeted Leaders

So let’s be very clear here. This is a direct accusation that GCHQ has been hacking into the telecommunications products of friendly companies in allied nations. Over the next few days it will be worth seeing just how much coverage this very major, very important story actually generates in the British mainstream press.

Here’s my prediction — and I genuinely hope I am proved very wrong: there will be serious coverage in the Guardian and Independent (read by very few who don’t already know that GCHQ is hack-crazy and law-breaking); some coverage in the Telegraph (read by hardly anyone); dismissive, brief coverage by the BBC; and preciously little else.

Let’s see.

The UK government is simply lying about data protection reform

This coming week the European Justice and Home Affairs Council (ie, national ministers from the individual national governments) will meet in Brussels. There are several items on the agenda.

Top of the list in a memo released by Viviane Redding is reform of the data protection laws. She says,

I am confident we will be able to build on the momentum injected into the negotiations by the Greek Presidency at the last informal Council meeting in January. Seeing the latest progress, I will continue working with Ministers for an adoption of the data protection reform before the end of this year.

Bottom of the list in a ministerial statement from Theresa May is reform of the data protection laws. She says,

There will be a state of play/orientation debate on the Proposal for a General data Protection Regulation. The UK continues to believe that this proposal is far from ready for a general agreement, and that no such agreement can occur until the text as a whole has been approved. The proposal remains burdensome on both public and private sector organisations and the Government would not want to see inflexible rules on transfers outside the European Economic Area which do not reflect the realities of the modern, interconnected world.

And yes, they really are talking about the same thing. Most of Europe has already agreed the data protection reform proposals; but the UK doesn’t like it and won’t play.

The problem is, providing more protection for our personal information is difficult for the UK. It would upset the three most powerful organizations in the country: GCHQ, Google and Facebook. GCHQ would have its ability to collect our private messages, photos, home videos and internet browsing habits severely curtailed — and of course nobody would want to see that.

Google and Facebook would no longer be able to ship our personal information to servers outside of the UK; that is, the US, from where the NSA/FBI could demand access while declining to allow us to be told (assuming they need to since GCHQ will probably have already intercepted the data via its taps on the fibre cables that run between the two continents and simply handed it en masse to the NSA for storage and safe keeping).

Since these negative arguments would not prove popular to the British public, they are being hidden in spurious and frankly false claims that data protection will cost business. Yes there will be some cost in protecting our data (not nearly as much as the government would like us to believe); but that will be more than compensated by the lower cost of doing business with dozens of different data protection regimes. The net effect of reforming data protection will be greater data protection at a lower overall cost.

But Theresa May doesn’t want us to understand that. She and David Cameron would like us to believe that they are protecting us when they are really just protecting vested interests and actually selling us down the river. They are willing to trade our privacy to keep GCHQ and big American business happy.

The Miranda judgment is a sad day for Britain

There was never any doubt that the detention of David Miranda at Heathrow under section 7 of the Terrorism Act was in fact legal. Now the arbiters of The Law have confirmed it in a judgment delivered earlier this week.

There is some good news, some bad news and a lot of not-unexpected news in this judgment. The not-unexpected news is that the Terrorism Act allows GCHQ to do just about whatever it pleases. The manufactured War against Terror has had the effect of turning the UK into a police state under the control of the security services and enforced by Her Majesty’s Constabulary. Anything can be defined, with a little imagination, as a potential act of terrorism; and therefore under the jurisdiction of the over-broad power of the Terrorism Act.

The good news is that the police did not immediately nor automatically accept GCHQ’s request for a port stop (ie, detention) on David Miranda as he passed through Heathrow. It was not until the police received a detailed request precisely applied to the Terrorism Act that they were effectively forced to respond. From the ruling:

“We assess that MIRANDA is knowingly carrying material, the release of which would endanger people’s lives. Additionally the disclosure, or threat of disclosure, is designed to influence a government, and is made for the purpose of promoting a political or ideological cause. This therefore falls within the definition of terrorism and as such we request that the subject is examined under Schedule 7.”
from the David Miranda judgment

Compare this to my assessment at the time:

So, three tests for terrorism. Applying these to David Miranda, and assuming that his laptop contained Snowden documents (which would be reasonable suspicion),

1. the stated purpose of the leaks is to influence government
2. the stated purpose could be described as both ‘political’ and ‘ideological’
3. the effect, according to government, could result in increased terrorist attacks against the UK (that is, “a serious risk to the health or safety of the public”) and is also designed “to interfere with or seriously to disrupt an electronic system” (that is, GCHQ’s Tempora surveillance system).

I think it is quite clear that under the Terrorism Act, David Miranda is a terrorist.
Was David Miranda’s detention a legal and reasonable application of the Terrorism Act?

The bad news is that this is absurd. David Miranda is clearly not a terrorist. That means that what he was doing was an act of terrorism. That means that helping a journalist (in this case Glenn Greenwald) do his job, which most people would define as being in the public interest, can in itself be an act of terror — and that, frankly, is scary.

The Arbiters of The Law effectively confirm that the invocation of the Terrorism Act removes all other freedoms and rights:

In my judgment the Schedule 7 stop was a proportionate measure in the circumstances. Its objective was not only legitimate, but very pressing. The demands of journalistic free expression were qualified in the ways I have explained. In a press freedom case, the fourth requirement in the catalogue of proportionality involves as I have said the striking of a balance between two aspects of the public interest: press freedom itself on one hand, and on the other whatever is sought to justify the interference: here national security. On the facts of this case, the balance is plainly in favour of the latter.

This is a sad day for natural justice. But we cannot blame the judges. Their function is to interpret the law. Nor can we blame the police. Their function is to enforce the law. The blame rests solely on our weak politicians, under the sway of over-powerful intelligence services, who make the laws. It is the intelligence services, through threats and blackmail, who get their wishes translated into law. It is weak politicians who have sold out the people.

Message to Mr Obama: Do not underestimate European anger

Introduction
The United States would be well advised not to dismiss European anger over the NSA — but so far the US doesn’t seem to be taking the EU’s concerns seriously. Consider the safe harbour agreement, and the growing movement to suspend it.

Safe harbour is an official arrangement that allows American companies to circumvent the European data protection laws. These laws prohibit the export of personal European data to any country that does not have comparable data protection laws. The United States does not. On the face of it, then, this would stop companies like Google and Yahoo and Facebook operating in Europe since they ‘export’ their users’ data to servers in the US.

To avoid this, the EU and US developed the Safe Harbour. Provided individual companies are certified to provide a comparable level of data protection to that required in the EU, safe harbour allows US companies to store EU data in the US. That certification can be provided by a qualified third-party, or it can be self-certification. One of the conditions included is that personal EU data will not be passed on to third parties.

But this requirement is clearly being breached by the NSA’s Prism programme. It doesn’t matter whether US cloud companies are giving EU data to the NSA willingly or even knowingly — that it happens is in contravention to safe harbour. So the mood in Europe is simple: if safe harbour isn’t being honoured, it would be better to suspend it. If this were to happen as things stand, companies like Google and Facebook would no longer be able to operate in Europe.

Why I don’t think America is taking this threat seriously
In December 2013, a US think tank called Future of Privacy Forum (FPF) published a report concluding, “It would be unwise at this stage of the Safe Harbor to pull back on this effective program.” It claims that safe harbour is working — when Prism shows it is not.

FPF’s first argument is that “eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.” Seriously? Is FPF really suggesting that since the NSA will disregard the law, we shouldn’t bother having any laws?

Its second argument is that even US companies that allow their safe harbour certifications to lapse are “still subject to FTC Section 5 enforcement for any substantive violations of
the Safe Harbor principles committed while it claims to be a member.” Luckily, we can test that assertion because the FTC has just made enforcement on 12 US companies for that very infringement.

Following complaints, the FTC took action against the companies which resulted in settlements. The settlement agreements now prohibit the companies from falsely stating to be Safe Harbour certified.
FTC takes safe harbor enforcement action against 12 US corporations

So, the punishment for ignoring safe harbour rules is to agree to stop ignoring safe harbour rules; which can be done via self certification.

This is not the behaviour of a country that is taking Europe seriously.

Is it even possible for Europe to suspend safe harbour?
This is the crux of the problem. America clearly believes that it would be impossible: Google, Facebook, Microsoft, Yahoo etc, etc are so deeply woven into the social and economic fabric of Europe that it would not dare, in the final analysis, to pull the plug. That, I fear, would be a catastrophic underestimate of European determination.

Consider some of Europe’s recent announcements. It is preparing itself for a life without US tech giants, and even a life without the UK. (Incidentally, David Cameron will rapidly discover how insignificant the UK will be considered by the US if it can no longer influence the EU in favour of the US; and GCHQ, like the NSA, can no longer spy on Europe.)

Firstly, the EU has declared it wishes to be an honest broker between US and UN ownership of internet governance. In other words, the European bloc is no longer in blind support of the US position — it is preparing for, and in doing so it is making inevitable, a time when US control is removed.

Secondly, Angela Merkel has indicated a Franco-German intent to build a European internet outside of the NSA’s reach. US companies will either have to agree to play by European rules, or be excluded from Europe. (That, of course, applies equally to the UK and GCHQ. Nigel Farage of UKIP wants the UK to leave the EU; Cameron, who doesn’t, is close to getting the UK excluded by default.)

Faced with such a decision, the US companies will take a commercial position and play by the rules of what will effectively be a heavily policed virtual internet within and for Europe. Microsoft has already broken ranks and said it will ensure European data remains in servers within Europe. The problem for Microsoft will come when it receives a FISC order demanding EU data from those European servers. The danger for the United States is that under such circumstances, some of those companies will emigrate from America in order to maintain their European presence.

So, as I said at the beginning, the US would be well-advised to take Europe seriously. Europe is older and more patient than America. It can and will take the long view over this issue.